No! Thanks for reading (listening).
It could be worth defining what a data breach actually is.
Cyber security people often refer to three essential pillars to which anyone responsible for data must adhere. They are called the CIA, oddly. Not to be confused with the American super-spy organisation or the FBI, NSA, USPI (US Postal Inspectors of course) or NCIS (whatever the hell that actually is… is it even real?)
The CIA of cybersecurity stands for Confidentiality (can you keep my secret), Integrity (can you make sure my secret cannot be accessed or changed by anyone else), Availability (can anyone else deny me access to it). If somebody screws up any of these it’s a problem. A data breach is when a company royally screws up the first one, Confidentiality, and makes data about us, that we trusted them to keep on the down low, available to others.
Two of the most high profile examples which occurred in 2017 were of course Equifax and Uber. I could easily spend this whole time ripping into the Equifax breach alone but thankfully, John Oliver and Last Week Tonight have already done a stellar job of that. I highly recommend checking that out.
The Uber breach was also super fun and, like Equifax, involved an attempt to cover it up, or at least pretend it wasn’t happening for a while. The Uber/Equifax policy on disclosure is somewhat akin to Homer Simpson, who aptly put it… ”I’ll hide under some coats and hope that somehow everything will work out!”
The Uber breach was extra special in that they actually paid the hackers to shut up and destroy the data they stole, so no worries there right? Because hackers have a really rock solid code of ethics. Uber even said they had evidence to suggest the data was destroyed. What evidence exactly was that? A screenshot of an empty directory called “Stuff we Stole from Uber” or perhaps they just sent them an empty USB stick in the mail with a post-it note saying “See! Gone! We cool?” I’m not totally convinced. Have a quick surf through Dream Market (other Dark Web marketplaces are available) and see what’s there.
But how do these things happen in the first place? There’s actually a pretty wide range of ways data can leak out of an organisation. One of the biggest dangers to any organisation is… that’s right, it’s Milton over in the corner there. He’s had his desk pushed all the way to the back, and they took his Swingline stapler away so he’s going to set the building on fire. Or worse, just copy some intellectual property or data records onto a portable device and walk right out of the building. Edward Snowden is still the poster child of the insider threat but many organisations have suffered from it.
One notable figure who received much negative media attention was Morgan Stanley’s Galen Marsh, who stole 730,000 data records over several years before he was caught. How was he caught?… the server where he hid the data was hacked by Russians. Awesome. It feels kind of like karma, doesn’t it. Morgan Stanley most likely had excellent security against outsider threats, but all the real hackers had to do was find some dough-head who maybe wasn’t a complete newbie about security but certainly didn’t have a bank’s security team to keep his data safe, and presto… it’s hacker Christmas.
Equifax on the other hand (I’m almost beating a dead horse here) is a perfect storm of cyberstupidity and pretend security. At the core of it was a known, published vulnerability in an open source software component called Apache Struts. For those who don’t know, Struts is a very commonly used framework for writing web applications in the Java programming language. This vulnerability was known about in March 2017. Anybody who is anybody in charge of security would have just upgraded and been done. Not Equifax though. That’s a security 101 no-no. Having a vulnerability in your core programming language framework is like finding out the bricks you made your house from are actually papier-mâché and your house (like Equifax) is nothing more than a kick-ass piñata full of prizes. #Check-my-recommendations-in-both-the-IoT-and-Ransomware-podcasts. Keep your junk up-to-date!
Things of course got worse because it also turned out that they had an Argentinian employee website where the login was “admin” and the password… “admin”. At least it wasn’t “password”. You might now be thinking you should change that default setting on your wifi router, especially if you run an AirBNB.
Just to mix it up I’ll also mention two examples of other key ways in which your data gets sprayed across cyber space, and the first of those will be the TalkTalk breach from 2015. In this instance, essentially a kid used a mechanism called SQL Injection to access records in a database. Quickly… an SQL Injection is easily described as… you know when you fill in a form on a website, that data goes to a database and is stored. What if, instead of typing in your login or name or address, you typed in some database query statements? Stopping that from happening is the equivalent of the old days of writing a cheque/check, writing the “$37.68” amount of money on it and drawing that clever line —— afterwards that stops your friendly recipient from adding ‘and a million dollars’. It’s really almost that easy to stop would-be hackers from trying that kind of attack. You’re going to detect a theme happening now. Fixes for that type of attack were known and have been available for years and had not been applied. From a hacking perspective an SQL injection is one of the more easily preventable attacks and frankly shouldn’t still be around, but older websites are still out there and are still at risk. It’s amazing.
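To show the “cheque line” point in working code, here is an added example (not from the original post or from TalkTalk) with the two ways a website can turn a form field into a database query: one that pastes the field straight into the SQL text, and the fix that binds it as a parameter. The customer table is constructed in memory and the helper names are my own.

```python
import sqlite3

# Constructed sample data standing in for the customer records behind a web form.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: the form field becomes part of the SQL statement itself,
    so a visitor who types query syntax changes what the query does."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the SQL text is fixed and the value travels separately as a
    bound parameter, so it is only ever compared as data, never run as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username):
    """Run the same form input through both versions and return both results."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterised": lookup_parameterised(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name behaves the same in both; query syntax in the field does not.
    print(demo("alice"))
    print(demo("x' OR '1'='1"))
```

With a normal username both functions return the one matching row; when the field contains query syntax, the vulnerable version returns every customer while the parameterised version returns nothing.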
There are lots of other interesting ways that hackers have gotten data records, from the rather interesting and complicated Heartbleed bug of 2014, where a guy checked some code in a few minutes before midnight on New Year’s Eve and that buggy code resulted in JP Morgan’s website spewing data dumps on request (that was a proper zero day hack by the way, which is kind of cool), to a far more common occurrence where somebody leaves the door unlocked on Amazon S3 cloud storage. I’ll do a podcast on “The Cloud” in the coming year. The “Oops” Award for this one goes to Accenture! Yes, Accenture as recently as a few months ago got caught with their panties down by researcher Chris Vickery. He found a treasure trove of company secrets such as authentication credentials, certificates, decryption keys and logs of customer data. Not great for Accenture but at least it looks like the good guys found it first for once.
I could go on and on and on. There were more than 3 billion data records leaked in 2016. 2017 isn’t over but we’re working on smashing that record. Come on 2017!!
WHY do hackers just want data?
The question may remain however… WHY do hackers just want data? Far more often than not the leaked data doesn’t contain credit cards or CVV numbers (those 3 digits on the back for rock solid security) or anything they can really use to directly get money from you. So what gives, right?
If you listened to my ransomware episode, thanks for listening by the way, I did mention phishing campaigns in which emails arrive looking like interesting and relevant subject matter that might make even the most skeptical and security savvy individual click on it. The social engineering expertise in the hacking community, and especially in any Nation State funded community, is getting higher and higher. Now imagine what they might be able to come up with if they knew private details such as where you bank, perhaps your account number, email and phone numbers and potentially other details. None of which they can use to get money directly from you, but they certainly have enough to build a plausible fraudulent email, or just call you up and convince you that they are your bank OR call your bank and convince them that they are you! It’s too easy.
I was travelling in a taxi in San Francisco recently and the driver was friendly, asking me what I did for a living, and I asked about how he became a taxi driver and what he’d rather be doing if not driving taxis. We started talking about security and I mentioned the podcast about ransomware. He was absolutely certain he wouldn’t get caught out by a scam. I then gave him a few off the cuff example contents of an email or call, playing back to him information he’d just given me in 5 minutes of traveling about his life, family, their locations, his employment, and then asked him… “would you believe I was representing something legitimate?” How easy it was for me to do that freaked him out a little, and he admitted he was no longer so confident.
This is why data is so important. Hackers find ways to get the data and they either use it themselves or they sell it on to criminal scammers to conduct very targeted boiler room scams and/or email based phishing campaigns. The more data and the more specific the information, the wider the net and the higher the likelihood of catching people out.
I still haven’t revealed the number one way that your data isn’t safe. I’ll leave that to the end to keep the suspense at a peak! I’ve touched upon why your data is so valuable to hackers and scammers, but I’d like to quickly dig into what a data breach means to a company that is a victim of it.
The TalkTalk hack I mentioned meant that they were hit with an unprecedented £400k fine. UNPRECEDENTED! Does that sound like a lot of money? I’m sure it does to individuals listening to or reading this. It’s potentially a bit of a stinger I guess, but let’s consider that the CEO of TalkTalk, who publicly addressed the hack and was actually quite professional about it, has a salary of between £2 and £3 Million a year. She could have paid that fine herself and been left with more money than many of us might ever see in more than 10 years. It’s like a parking fine for a company.
I referred to TalkTalk’s CEO as professional in her handling of the breach. What I meant by that is, she told the world and specifically their customers in a responsible, timely fashion. The exact opposite of Equifax, who knew about the breach in late July 2017 and sat on it until early September (while key executives sold off their stock, which looks fishy). Uber knew about their breach almost a year before revealing it and, as I mentioned earlier, tried to pay some hush money to the baddies to make it go away. While the regulations for disclosure of these sorts of things are a bit haphazard at the moment, it is generally regarded that 72 hours is how long you’ve got between realising you’ve been compromised and telling those affected. At the moment it feels like a rather rare occurrence that this happens, and why would anyone comply with it anyway, if the fines are so relaxed given the size of the companies we are talking about.
Far more damaging and more noticeable on a corporate level is stock price. TalkTalk dropped 10%. Equifax dropped around 18% and is still down. That is something that board members and investors don’t like to see. Additionally, in the case of Equifax and Uber, several major executive jobs were lost. The CSO (Chief Security Officer) for Equifax is practically in witness protection as her digital identity is slowly being erased from the internet. You might be thinking… good! I tend to agree. I don’t like seeing a career destroyed but, provided they didn’t spend their 7 figure salaries frivolously, I think they will be ok. It’s worth mentioning that a stock drop is just a symptom of a larger issue for companies and that is reputation. Equifax is not in a good place right now. Uber… well, they didn’t really have a reputation to defend, but for companies like Accenture this is a big deal and can hang around for a long time.
What is interesting though, is something that is coming into play next year and that is called GDPR. That’s the EU’s General Data Protection Regulation. Having had enough of data breaches, the EU has regulated that companies who are subject to major data breaches involving members of the EU (which for now includes the UK) will face penalties of either €20Million OR… and this is great… 4% of total worldwide revenue, whichever is GREATER!! I love it. The GDPR also holds companies accountable for the timeliness of releasing the details to customers. It’s 72 hours. Bravo GDPR and bravo EU!
I’ve never been more excited to do some math! That would mean the same data breach TalkTalk suffered in 2015, for which they were fined an unprecedented £400k, would actually be €20Million or… 4%. Let’s consider that TalkTalk’s revenue in 2015 was £1,795M (TalkTalk’s Annual Report) ( https://www.talktalkgroup.com/dam/jcr:3ae87c83-4e84-4464-a9df-06dd76eb293d/TalkTalk%20Telecom%20Group%20PLC%20Annual%20Report%202016.pdf ). So that means the fine would be £71.8M, which would be 179.5X larger than last time and certainly out of the reach of their CEO’s wallet.
Uber’s fine, based on $6.5Billion in revenue in 2016, would be $260M. Feels good, doesn’t it! The fines that were being handed out for a disregard of private customer information were mere slaps on the wrist before GDPR.
Now if you’re thinking that the EU regulation doesn’t apply to Uber perhaps because they are based in the USA, you would be incorrect. The regulation is upheld by the EU as a measure to protect EU citizens and is recognized by the USA. If Uber holds data on EU citizens (and they do), as did Equifax, and Accenture, they are subject to those fines.
Ok last but certainly not least is the big reveal. What is the biggest source of personal data leakage that puts you at risk today?
It’s You. Yes that’s right. Facebook is partly responsible but to be more accurate, it is still you.
I wrote an article a while back which is here (https://www.linkedin.com/pulse/facebook-socially-engineered-hacking-steve-giguere/) using just one example of how your most intimate data can be leeched out of you voluntarily! The example I brought into question was a viral “game” which spread through Facebook and created a tag cloud of your “Most Used Words on Facebook”.
This game involved an external service to compute an image tag cloud post revealing personal trend keywords. It was clever, and who wouldn’t want to know more about themselves and then tell all their friends. You might think only my friends can see the results because you are good with your privacy settings. Except… in order to run this game you had to allow the game/service access to your account so it could mine that data to get the result. The data acquired en masse via this method was far more threatening than most major data breaches. You post messages about your family, your pets, your job, both celebrating and complaining about your most personal moments, sharing with your closest Facebook friends… and of course this random company in Korea who now has your entire Facebook history and profile. This didn’t even make it onto a top 50 list of data breaches because you gave your data away, and that is what is quite scary.
We need to understand then that when something is offered to us as a free service, be it Facebook itself or something offered inside Facebook, it isn’t free. Somebody smart once said “If you’re getting something for free, you’re the product”. John Oliver said, in terms of the Equifax breach, if Equifax was KFC, we’re the chickens. The reason sites like Facebook, Twitter, WhatsApp etc have value is because they have our data. That data is being sold to somebody. The best case scenario is that it is a marketing firm or advertisers; the worst case is that it’s going to the same people who buy up the data records leaked in high profile data breaches. I’m quite confident Facebook would never sell data to anyone malicious, but this game company could easily be a pop-up data mining company which has more data than most data breaches could release and has done nothing illegal to get it.
How can we be better… well, it’s a difficult one isn’t it. Thankfully things like GDPR are going to do a much better job of making companies accountable for our data and hopefully they will take security a bit more seriously in the future. You should be more aware of some of the games that Facebook allows to be embedded within its feeds. If it takes you outside of Facebook, be wary. When something asks for permission to access your Facebook data, do check how much access it is asking for instead of just clicking OK. Ideally just skip that game entirely. You’ll live.
I’ll end with the biggest data breach of all time, which I haven’t even mentioned yet. It happened way back in 2013 but it’s still holding the title.
The Winner of Worst All Time Data Breach is….
YAHOO! No, I meant the company, Yahoo. They are still the winner of the biggest ever data breach with 3 Billion data records lost.
Ever had a Yahoo account? Bad guys have your password. Did you use that same 2013 password anywhere else?
Bad guys have THAT password too.
You do have 2 factor authentication enabled don’t you?
Codifyre has an upcoming podcast on that: An Idiot’s Guide to Passwords. It’ll be out on the 10th of January 2018.